Wei's

Ethernaut - 26. DoubleEntryPoint

12 Sep 2022 ethernaut  solidity 

Difficulty: πŸŒ•πŸŒ•πŸŒ‘πŸŒ‘πŸŒ‘

Contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

interface DelegateERC20 {
  function delegateTransfer(address to, uint256 value, address origSender) external returns (bool);
}

interface IDetectionBot {
    function handleTransaction(address user, bytes calldata msgData) external;
}

interface IForta {
    function setDetectionBot(address detectionBotAddress) external;
    function notify(address user, bytes calldata msgData) external;
    function raiseAlert(address user) external;
}

contract Forta is IForta {
  mapping(address => IDetectionBot) public usersDetectionBots;
  mapping(address => uint256) public botRaisedAlerts;

  function setDetectionBot(address detectionBotAddress) external override {
      require(address(usersDetectionBots[msg.sender]) == address(0), "DetectionBot already set");
      usersDetectionBots[msg.sender] = IDetectionBot(detectionBotAddress);
  }

  function notify(address user, bytes calldata msgData) external override {
    if(address(usersDetectionBots[user]) == address(0)) return;
    try usersDetectionBots[user].handleTransaction(user, msgData) {
        return;
    } catch {}
  }

  function raiseAlert(address user) external override {
      if(address(usersDetectionBots[user]) != msg.sender) return;
      botRaisedAlerts[msg.sender] += 1;
  } 
}

contract CryptoVault {
    address public sweptTokensRecipient;
    IERC20 public underlying;

    constructor(address recipient) public {
        sweptTokensRecipient = recipient;
    }

    function setUnderlying(address latestToken) public {
        require(address(underlying) == address(0), "Already set");
        underlying = IERC20(latestToken);
    }

    /*
    ...
    */

    function sweepToken(IERC20 token) public {
        require(token != underlying, "Can't transfer underlying token");
        token.transfer(sweptTokensRecipient, token.balanceOf(address(this)));
    }
}

contract LegacyToken is ERC20("LegacyToken", "LGT"), Ownable {
    DelegateERC20 public delegate;

    function mint(address to, uint256 amount) public onlyOwner {
        _mint(to, amount);
    }

    function delegateToNewContract(DelegateERC20 newContract) public onlyOwner {
        delegate = newContract;
    }

    function transfer(address to, uint256 value) public override returns (bool) {
        if (address(delegate) == address(0)) {
            return super.transfer(to, value);
        } else {
            return delegate.delegateTransfer(to, value, msg.sender);
        }
    }
}

contract DoubleEntryPoint is ERC20("DoubleEntryPointToken", "DET"), DelegateERC20, Ownable {
    address public cryptoVault;
    address public player;
    address public delegatedFrom;
    Forta public forta;

    constructor(address legacyToken, address vaultAddress, address fortaAddress, address playerAddress) public {
        delegatedFrom = legacyToken;
        forta = Forta(fortaAddress);
        player = playerAddress;
        cryptoVault = vaultAddress;
        _mint(cryptoVault, 100 ether);
    }

    modifier onlyDelegateFrom() {
        require(msg.sender == delegatedFrom, "Not legacy contract");
        _;
    }

    modifier fortaNotify() {
        address detectionBot = address(forta.usersDetectionBots(player));

        // Cache old number of bot alerts
        uint256 previousValue = forta.botRaisedAlerts(detectionBot);

        // Notify Forta
        forta.notify(player, msg.data);

        // Continue execution
        _;

        // Check if alarms have been raised
        if(forta.botRaisedAlerts(detectionBot) > previousValue) revert("Alert has been triggered, reverting");
    }

    function delegateTransfer(
        address to,
        uint256 value,
        address origSender
    ) public override onlyDelegateFrom fortaNotify returns (bool) {
        _transfer(origSender, to, value);
        return true;
    }
}

Writeup

  1. Get new instance.
  2. Get Vault address. 
    
 await contract.cryptoVault()
  3. Create a contract. 
     // SPDX-License-Identifier: MIT
 pragma solidity ^0.6.0;

 interface IDetectionBot {
     function handleTransaction(address user, bytes calldata msgData) external;
 }

 interface IForta {
     function setDetectionBot(address detectionBotAddress) external;
     function notify(address user, bytes calldata msgData) external;
     function raiseAlert(address user) external;
 }

 contract MyDetectionBot is IDetectionBot {
     address constant VAULT = YOUR_VAULT_ADDRESS;

     function handleTransaction(address user, bytes calldata msgData) override external {
         // The first four bytes is the hashed signature of the function.
         // The rest of bytes are hashes of the arguments being passed to the function.
         (,,address origSender) = abi.decode(msgData[4:], (address, uint256, address));

         if (origSender == VAULT) {
             IForta(msg.sender).raiseAlert(user);
         }
     }
 }
  4. Use MyDetectionBot address as parameter to call setDetectionBot method in Forta contract. You can find Forta contract address by call below method in chrome console: 
    
 await contract.forta()
  5. Submit instance ΞΎ( βœΏοΌžβ—‘β›)

Reference

Related posts

Archive

solidity picoCTF Go ethernaut linux blockchain sql react smart-contract typescript solana javascript java ethereum css Linux zsh ubuntu next.js jekyll hardhat golang ethers Secureum Rust web wallet vscode truffle shell rpc notion notes nodejs nextjs mocha html github git geth express eslint docker cloudflare Vim DSA